We have McAfee 8.8 client installed on all of our Windows 7 workstations. We also have the ePO 4.x agent pushed out to all of our Windows 7 workstations. The problem is most of our workstations are pointing to our old ePO console, which was outsourced to a 3rd party. So 90% of our workstations are unmanaged and our contract with this company ended so we are unprotected at the moment.
Is there a way to "re-point" each workstation to our new ePO server? Someone said we need to uninstall everything using a script which seems a little silly, unless the ePO console can't handle this task.
So I ask this forum: can the ePO console do this, and if not, what is the best method to get all workstations pointed to the correct ePO server?
Also, can the ePO console scan AD and when a new machine comes online Auto-Install the agents?
You can deploy agents from the new ePO server and choose "force install over existing version" (providing you have admin rights); it should do the trick.
As for detecting new systems, you can use RSD, which works by detecting ARP and DHCP requests.
There are a couple of things you can do:
1. See if you can get the 3rd party to update the DNS record of the old ePO console to point to the IP of your new console.
The Agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure that the Agents have a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the Agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
2. Utilize RSD. The 90% of unmanaged machines should be showing up in your RSD console if you have a sensor listening on whatever subnet. I would set up an automatic response, Menu > Automation > Automatic Responses, to push the new agent to machines that match certain criteria when detected by RSD.
3. Or see about what mbenali said, just re-install the agent over the old.
4. You could also use an Active Directory Sync task, which can be configured to push an agent to newly imported machines. But it is a bit of work to set up.
5. If you still have access to the old ePO, make the new ePO a registered server of the old and share the security keys - then you can transfer machines from the old > new.
To the best of my knowledge, the easiest way to re-point nodes in this day and age of Agents with security keys is to deploy the Agent from the new ePO server to those systems.
Assuming your system tree is already configured how you desire (typically segregation lines follow policy needs):
1.) Set up an AD sync point at a branch of the tree and point it to the AD OUs that you want to import into that branch.
a.) Rinse and repeat until you have all of the AD OUs accounted for that contain your intended targets.
b.) Now SYNC it!
c.) Inspect the nodes in the tree to ensure you brought over all the intended targets.
2.) Set up a server task to sync with AD every couple of hours or so to catch future additions to AD.
3.) Create a server task that executes the "Unmanaged Systems" query (typically found in the "System Management" McAfee groups) as the first action and deploys the Agent as a sub-action.
a.) Check the box next to "Force installation over existing version".
b.) Enter a credential to perform the install. (The credential used must have local admin rights on the target nodes.)
c.) Click the "+" to add another sub-action and select "Wake Up Agents" from the drop menu.
i.) Randomization=10 minutes
ii.) Number of attempts=0 (continuous)
iii.) Abort after 5 minutes
iv.) Use "All Agent Handlers" from the drop menu
v.) Click both boxes: "Retrieve all properties..." and "Force complete policy..."
vi.) Retry interval of 30 secs.
vii.) Execute this every couple of hours or so.
4.) Inspect the server task log entries related to the server task from step 3 and verify that it is succeeding.
5.) Crack open a cold one and relax as ePO does all of the heavy lifting for you.
NOTE: I do anticipate that there will be nodes that ePO will be unsuccessful in migrating. For those, hopefully FEW, nodes you will need to use a different method... manual install by you, the user, or...? Or you could utilize SCCM/SMS/etc.
Hope this helps.
Just as a note: generally speaking you should not select the "Force install over existing version" option. A normal install will quite happily replace the sitelist and keys, thereby pointing the client to the new server.
Is that the case if the Agent version used for migration to the new ePO infrastructure is the same as the version currently deployed to the target? If so, is there an Agent minimum version for this behavior?
Either way, I have experienced issues using the forceinstall option in possibly only very rare circumstances. By rare, I mean maybe once in the course of many years and thousands of installs. Even then I could not positively attribute the behavior I saw to the forceinstall switch, and I definitely do like the "remove the old crap and install fresh" aspect of it. In my experience, the Agent is the most fragile piece of the "McAfee subsystem" (as I refer to it). As such, I do not hesitate to use the command.
Good luck, mqh777. I hope you got all you need from the thread.
Yep, the behaviour is the same - I don't remember exactly when it was introduced but it was a while ago: either MA4.0 or 4.5, I believe.
If the installer sees that it's the same version it just replaces the sitelist and keys.
In some cases, if I could not reach the machine from ePO, I would remove the old framework and just install it manually.
1. At the DOS prompt: "C:\Program Files\McAfee\Common Framework\frminst.exe" /forceuninstall or "C:\Program Files (x86)\McAfee\Common Framework\frminst.exe" /forceuninstall
2. Create framepkg.exe from your ePO server.
3. Copy framepkg.exe to your C:\ drive.
4. At the root directory, type framepkg.exe
Allow the new framework to check into the ePO server.
Hope this works
Again, there should be no need to remove the existing agent - especially not using the /forceuninstall option. Simply running the new framepkg will be enough to allow the client to communicate with the new server.
You are 100% correct. You should be able to do that, but sometimes you have to do it manually. I've tried everything that you're doing now, and sometimes you need to touch some of these machines just to get it done. How many machines are you trying to deploy to?